
US20230024824A1 - Analysis apparatus, analysis method, and non-transitory computer readable medium storing analysis program - Google Patents


Info

Publication number
US20230024824A1
Authority
US
United States
Prior art keywords
attack
vulnerabilities
vulnerability
virtual
route
Legal status
Abandoned
Application number
US17/785,487
Inventor
Hirofumi Ueda
Ryo MIZUSHIMA
Tomohiko Yagyu
Current Assignee
NEC Corp
Original Assignee
NEC Corp
Application filed by NEC Corp
Assigned to NEC CORPORATION (assignors: MIZUSHIMA, RYO; UEDA, HIROFUMI; YAGYU, TOMOHIKO)
Publication of US20230024824A1
Legal status: Abandoned

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034Test or assess a computer or a system

Definitions

  • the present disclosure relates to an analysis apparatus, an analysis method, and a non-transitory computer readable medium storing an analysis program.
  • Patent Literatures 1 and 2 are known.
  • Patent Literature 1 describes that in a security diagnostic system, intrusion routes to the information assets of a target system are searched for, and a list of vulnerabilities in the intrusion routes is displayed.
  • Patent Literature 2 describes that in a network vulnerability inspection apparatus, vulnerability test data of unknown vulnerabilities and previously-undiscovered security holes is automatically created, and a vulnerability test of the inspection target network equipment is conducted.
  • In the related techniques such as those described in Patent Literatures 1 and 2, intrusion routes are searched for and vulnerability tests are conducted.
  • the related techniques are techniques for extracting vulnerabilities that are obviously present in the assets of the information system or vulnerabilities that are already discovered, and thus there is a problem that it is difficult to grasp the vulnerabilities that may have an impact on the information system (vulnerabilities whose existence is not yet confirmed but which, if discovered, may have an impact on the system).
  • the present disclosure has been made in view of the problem mentioned above, and an object of the present disclosure is to provide an analysis apparatus, an analysis method, and a non-transitory computer readable medium storing an analysis program, each of the apparatus, the method, and the program being adapted to grasp vulnerabilities that may have an impact on an information system.
  • An analysis apparatus includes:
  • setting means for setting virtual vulnerabilities in a plurality of nodes configuring an information system to be analyzed
  • extraction means for extracting an attack route of the information system based on the set virtual vulnerabilities
  • discrimination means for discriminating vulnerabilities to be monitored based on the virtual vulnerabilities in the extracted attack route.
  • An analysis method includes:
  • a non-transitory computer readable medium stores an analysis program for causing a computer to execute the processing of:
  • According to the present disclosure, it is possible to provide an analysis apparatus, an analysis method, and a non-transitory computer readable medium storing an analysis program, each of the apparatus, the method, and the program being adapted to grasp vulnerabilities that may have an impact on an information system.
  • FIG. 1 is a flowchart showing a related vulnerability management method
  • FIG. 2 is a configuration diagram showing an outline of an analysis apparatus according to example embodiments
  • FIG. 3 is a diagram for describing the vulnerability types according to a first example embodiment
  • FIG. 4 is a schematic diagram showing a configuration diagram of an analysis system according to the first example embodiment
  • FIG. 5 is a diagram showing an example of virtual vulnerabilities according to the first example embodiment
  • FIG. 6 is a flowchart showing an operation example of the analysis system according to the first example embodiment
  • FIG. 7 is a diagram showing a configuration example of an information system that is analyzed by the analysis system according to the first example embodiment
  • FIG. 8 is a diagram for describing a method of analyzing an attack route according to the first example embodiment
  • FIG. 9 is a diagram showing an example of analytical elements in an attack route according to the first example embodiment.
  • FIG. 10 is a diagram showing an example of an attack graph according to the first example embodiment
  • FIG. 11 is a diagram showing an example of virtual vulnerabilities in the attack route according to the first example embodiment
  • FIG. 12 is a diagram showing an example of virtual vulnerabilities in the attack route according to the first example embodiment
  • FIG. 13 is a diagram showing a display example of an analysis result according to the first example embodiment
  • FIG. 14 is a diagram showing a display example of an analysis result according to the first example embodiment.
  • FIG. 15 is a configuration diagram showing an outline of hardware of a computer according to example embodiments.
  • FIG. 1 shows a related vulnerability management method. This method is mainly performed by an administrator.
  • a vulnerability of a target information system is first recognized (S 110 ), and the recognized vulnerability is addressed (S 120 ).
  • a configuration of the information system is acquired (S 101 ).
  • Software and hardware included in the information system are acquired by referring to a detailed design document of the information system and obtaining system configuration information of the information system.
  • vulnerability information of the information system is collected (S 102 ).
  • the vulnerability information of the acquired software and hardware is collected from alert information by IPA (Information-technology Promotion Agency), public databases of vulnerability information such as CVE (Common Vulnerabilities and Exposures) and NVD (National Vulnerability Database).
  • FIG. 2 shows an outline of an analysis apparatus according to the example embodiments.
  • an analysis apparatus 10 according to the example embodiments includes a setting unit 11 , an extraction unit 12 , and a discrimination unit 13 .
  • the setting unit 11 sets virtual vulnerabilities in nodes constituting an information system.
  • the extraction unit 12 extracts an attack route of the information system based on the virtual vulnerabilities set by the setting unit 11 . For instance, the extraction unit 12 extracts, using an attack route generation technique (an attack graph generation technique), a potential attack route in the information system to which the virtual vulnerabilities are set.
  • the discrimination unit 13 discriminates the vulnerabilities to be monitored based on the virtual vulnerabilities in the nodes in the attack route extracted by the extraction unit 12 . For example, the discrimination unit 13 grasps the list of vulnerabilities that appear in the section of the extracted attack route from the starting point of the attack to the end of the attack, investigates which of those vulnerabilities are already discovered and which are previously undiscovered at the current stage, and regards the undiscovered vulnerabilities as the vulnerabilities to be monitored.
  • Since potential attack routes are extracted based on the virtual vulnerabilities, which are pseudo vulnerabilities, and the virtual vulnerabilities in the extracted attack routes are discriminated, it is possible to grasp the vulnerabilities that could establish an attack route in the information system, that is, the vulnerabilities that could have an impact on the information system.
  • the vulnerabilities are classified into predetermined types that are arbitrarily determined based on the content of the attack. While various vulnerabilities are already discovered for each software (product) and for each content of attack, the vulnerabilities can be classified into several types based on the “attack category” and the “impact of exploitation”.
  • the “attack category” is a category such as remote attack/local attack and the like (an intrusion method).
  • the “impact of exploitation” refers to an impact on the system when the vulnerabilities are exploited (the result of the attack).
  • FIG. 3 shows a specific example of the classification of the types of vulnerabilities.
  • the vulnerability information includes the “target product”, which is the target of the attack and the “content of the vulnerability”, which is the details of the vulnerability.
  • the target products of the vulnerability X and the vulnerability Y are “software A” and “software B”, respectively, and while the target products differ, the contents of the vulnerabilities are the same, that is “allowing an attacker to execute a malicious code by exploiting the vulnerabilities remotely”.
  • the vulnerability type of the vulnerability X falls under the category of “remote” for the attack category and under the category of “arbitrary code execution” for the impact of exploitation, and the vulnerability Y falls under the same attack category and the same impact of exploitation as the vulnerability X.
  • By classifying the vulnerabilities (the vulnerability information) into the vulnerability types, vulnerabilities whose target products differ but whose contents are the same can be handled as the same type.
  • FIG. 4 is a configuration example of an analysis system 1 according to the present example embodiment.
  • the analysis system 1 according to the present example embodiment analyzes the potential vulnerabilities (the attack route) in the information system to be analyzed and visualizes the analysis result.
  • the analysis system (the analysis apparatus) 1 includes a risk visualizing apparatus 100 , a system configuration information DB (database) 200 , and a vulnerability information DB 300 .
  • the system configuration information DB 200 and the vulnerability information DB 300 may be connected to the risk visualizing apparatus 100 via a network such as the internet or may be directly connected to the risk visualizing apparatus 100 . Further, the system configuration information DB 200 and the vulnerability information DB 300 may be storage devices incorporated in the risk visualizing apparatus 100 .
  • the system configuration information DB 200 is a database for storing, in advance, the system configuration information of the information system to be analyzed.
  • the system configuration information includes hardware information, software information, network information, various setting information, and the like of node devices (terminals) constituting the information system.
  • the vulnerability information DB 300 is a database for storing the vulnerability information of already-discovered (disclosed) vulnerability. As shown in, for instance, FIG. 3 , the vulnerability information includes the target product and the content of the vulnerability for each vulnerability. Further, the vulnerability information is classified into vulnerability types (attack category and impact of exploitation) in advance.
  • the vulnerability information DB 300 may store, in addition to the vulnerability information that is made public by public organizations such as IPA, CVE, NVD, and JVN (Japan Vulnerability Notes), vulnerability information that is made public by security vendors and other vendors. Further, as long as the vulnerability information that is made public can be acquired, the configuration is not limited to databases and may be any configuration such as a blog.
  • the risk visualizing apparatus 100 includes a virtual vulnerability setting unit 101 , an analysis element setting unit 102 , an attack route analysis unit 103 , an attack route extraction unit 104 , a vulnerability analysis unit 105 , and a display unit 106 . Note that other configuration may be adopted as long as the operations described later can be performed.
  • the virtual vulnerability setting unit 101 sets the virtual vulnerabilities in the nodes constituting the information system to be analyzed.
  • the virtual vulnerabilities are virtual (pseudo) vulnerabilities expressed at the level of the vulnerability type.
  • the virtual vulnerabilities encompass vulnerabilities of all possible vulnerability types, that is, the virtual vulnerabilities include all of the prescribed vulnerability types into which the vulnerabilities are classified. By setting the above-described virtual vulnerabilities, it is possible to extract all potential attack routes.
  • FIG. 5 shows a specific example of virtual vulnerabilities.
  • the vulnerability type includes the “attack category” and the “impact of exploitation”, and the virtual vulnerabilities are every combination of the type of “attack category” and the type of “impact of exploitation”.
  • In the example of FIG. 5, the resulting eight types of vulnerabilities are the virtual vulnerabilities.
  • FIG. 5 is a mere example and other types of virtual vulnerabilities may be included as necessary.
  • the “administrator privileges”, “general-user privileges”, and the like may be included in the attack category, or the “privilege escalation” and the like may be included in the impact of exploitation.
  • the analysis element setting unit 102 sets analysis elements such as an intrusion point (entry point) of the attack route in the information system and an attack target.
  • the analysis elements may be set in advance or may be set by a user operation or the like.
  • the attack route analysis unit 103 analyzes the attack route (the attack path) based on the analysis elements such as the set intrusion point and attack target.
  • the attack route extraction unit 104 generates the attack graph by using the attack graph generation technique (attack graph generation tool) based on the analysis result, and extracts all potential attack routes from the generated attack graph.
  • the attack graph is a graph showing the attack steps assumed for the information system to be analyzed, in which the nodes passed through by the attack steps are connected in order from the intrusion point to the attack target.
  • the connection route of the nodes from the intrusion point to the attack target in the attack graph is the attack route.
  • the vulnerability analysis unit (the discrimination unit) 105 analyzes the virtual vulnerabilities in the extracted attack route and discriminates the vulnerabilities to be monitored.
  • the vulnerability analysis unit 105 discriminates the vulnerability to be monitored based on whether the virtual vulnerability in the attack route is an already-discovered vulnerability or not. When the virtual vulnerability in the attack route is a previously-undiscovered vulnerability, the vulnerability analysis unit 105 determines that monitoring is to be performed for such undiscovered virtual vulnerability.
  • the display unit (the output unit) 106 is a display apparatus that displays the analysis result and the like and displays the discriminated vulnerability to be monitored and the like using the GUI (Graphical User Interface) and the like.
  • the display unit 106 distinguishably displays the vulnerability to be monitored in the attack route and the other vulnerabilities in the attack route.
  • the display unit 106 is a liquid crystal display, an organic EL display, or the like and may be an external device of the risk visualizing apparatus 100 . Note that the monitoring targets and the like may be output not only by displaying but also by other methods (by e-mails, data transmission or the like).
  • FIG. 6 shows an operation example (an analysis method) of the analysis system 1 according to the present example embodiment.
  • the risk visualizing apparatus 100 sets the virtual vulnerabilities (S 201 ).
  • the virtual vulnerability setting unit 101 generates the virtual vulnerabilities (the virtual vulnerability information) including all vulnerability types (e.g. 8 types) shown in FIG. 5 . Further, the virtual vulnerability setting unit 101 acquires the system configuration information of the information system to be analyzed from the system configuration information DB 200 and sets the generated virtual vulnerabilities in each node configuring the information system.
  • the node is a device such as a terminal or a server that could be the target whose vulnerabilities are exploited; it is typically a hardware device, but it may also be software.
  • FIG. 7 shows a configuration example of an information system to be analyzed.
  • the information system 400 is a production management system including an information network 410 , a control network 420 , and a field network 430 .
  • the information network 410 is connected to the internet 401 via a firewall FW 1 and includes an OA terminal 411 .
  • the control network 420 is connected to the information network 410 via a firewall FW 2 , and includes a log server 421 , a maintenance server 422 , a monitoring control server 423 , and an HMI (Human Machine Interface) 424 .
  • the field network 430 is connected to the control network 420 via programmable logic controllers PLC 1 and PLC 2 , and includes IoT device 431 , FA (Factory Automation) device 432 , and the like.
  • the virtual vulnerability setting unit 101 sets the virtual vulnerabilities in every node in the information system 400 .
  • virtual vulnerabilities are set in the OA terminal 411 , the log server 421 , the maintenance server 422 , the monitoring control server 423 , the HMI 424 , the IoT device 431 , and the FA device 432 .
  • the virtual vulnerabilities may be set in the firewalls FW 1 and FW 2 , repeaters such as the programmable logic controllers PLC 1 and PLC 2 , and the like.
  • the analysis element setting unit 102 sets analytical elements such as the intrusion point of the attack route and the target of attack, and the attack route analysis unit 103 analyzes the attack route based on the set analytical elements.
  • the display unit 106 displays a display screen 501 like that shown in FIG. 8 , which enables the user to set the analytical elements via the GUI of the display screen 501 .
  • the system configuration of the information system 400 is displayed on the display screen 501 , and the user selects the node to thereby set the analytical elements such as the intrusion point and the attack target.
  • Nodes may be added to the information system as necessary.
  • the internet 401 and a newly added bring-in PC (Personal Computer) 411 may be set as the intrusion point of attack and the monitoring control server 423 and the HMI 424 may be set as the attack targets.
  • the attack route analysis unit 103 may analyze the attack route from the set intrusion point and the attack target or may analyze the arbitrarily designated attack route. For example, as the analytical elements, as shown in FIG. 9 , in addition to the intrusion point and the attack target, the final attack (the result of the attack), the assumed attack path (the attack route) between the nodes, and the like are set, and the attack route is analyzed.
  • the attack route extraction unit 104 generates an attack graph using the attack graph generation technique based on the information that is set and analyzed and extracts all potential attack routes. That is, by inputting the system configuration information to which the virtual vulnerabilities are set to the attack graph generation technique, an attack graph showing an attack from the intrusion point to the attack target via the virtual vulnerabilities of the nodes is generated.
  • FIG. 10 shows a specific example of an attack graph to be generated.
  • the attack graph shown in FIG. 10 includes all attack routes from the internet 401 to the attack target with the internet 401 being the intrusion point.
  • the attack routes r 1 and r 2 are examples of the attack routes from the internet 401 to the monitoring control server 423 .
  • the attack route r 1 is a route of intrusion from the internet 401 to attack the monitoring control server 423 via the OA terminal 411 , the log server 421 , and the maintenance server 422 .
  • the attack route r 2 is a route of intrusion from the internet 401 to attack the monitoring control server 423 via the OA terminal 411 and the log server 421 .
  • the attack route consists of attack paths between nodes.
  • Each attack path has the path establishment conditions set for node-to-node attacks to be established.
  • the attack route r 2 includes an attack path p 1 between the internet 401 and the OA terminal 411 , an attack path p 2 between the OA terminal 411 and the log server 421 , and an attack path p 3 between the log server 421 and the monitoring control server 423 . That is, when the attack paths p 1 to p 3 successively receive attacks that meet their path establishment conditions, the attack on the attack target succeeds along the attack route r 2 .
  • the path establishment conditions of an attack path include, for example, the attack source, the attack target, the attack conditions (the condition of the attack source), the result of the attack (the condition of the attack target), and the means of attack (the virtual vulnerabilities).
  • the vulnerability analysis unit 105 analyzes the virtual vulnerabilities in the attack route extracted from the attack graph.
  • the vulnerability analysis unit 105 refers to each attack path included in the attack route in the attack graph and grasps all virtual vulnerabilities (a list of vulnerabilities) in the attack route from the starting point of the attack to the end of the attack. All attack routes included in the attack graph may be analyzed or only the shortest route may be analyzed. By analyzing all attack routes, it is possible to comprehensively analyze potential attack routes. Further, since the shortest route has the highest risk of being attacked, by analyzing only the shortest route, it is possible to effectively analyze the vulnerabilities of high risk.
  • FIG. 11 shows an example of virtual vulnerabilities grasped in the attack route.
  • the path establishment conditions of the attack path p 2 include the OA terminal as the attack source, the log server as the attack target, arbitrary code execution as the attack condition, arbitrary code execution as the attack result, and the virtual vulnerability V 1 and the virtual vulnerability V 2 as the means of attack.
  • the virtual vulnerabilities V 1 and V 2 are any type of the virtual vulnerabilities shown in, for example, FIG. 5 .
  • the virtual vulnerability V 1 that enables arbitrary code execution on the OA terminal 411 , and the virtual vulnerabilities V 1 and V 2 that enable arbitrary code execution on the log server 421 , are grasped.
  • the virtual vulnerability V 3 that enables data access by the log server 421 , and the virtual vulnerability V 3 that enables data access by the monitoring control server 423 together with the virtual vulnerability V 1 that enables arbitrary code execution on it, are grasped.
  • Through these paths, the monitoring control server 423 can be accessed. Further, when the monitoring control server 423 performs data access according to the virtual vulnerability V 3 and arbitrary code execution is performed according to the virtual vulnerability V 1 , the final critical assets are affected.
  • the vulnerability to be monitored is discriminated.
  • the risk visualizing apparatus 100 checks whether the virtual vulnerabilities are vulnerabilities that are already-discovered/previously-undiscovered (S 205 ), and when the virtual vulnerability is vulnerability that is previously-undiscovered, such previously-undiscovered vulnerability (the vulnerability type) is to be monitored (S 206 ).
  • the vulnerability analysis unit 105 refers to the vulnerability information DB 300 that stores the already-discovered vulnerabilities and confirms whether each virtual vulnerability (the vulnerability type) that has been grasped in the attack route is the vulnerability that has been already discovered or not.
  • the vulnerability information DB 300 stores the vulnerability information including the vulnerability type of the vulnerability that is already discovered (disclosed).
  • the vulnerability type (the attack category and the impact of exploitation) of the virtual vulnerability and the vulnerability type of the already-discovered vulnerability are compared, and it is checked whether they match each other.
  • When there is no applicable vulnerability present in the vulnerability information DB 300 , that is, when the virtual vulnerability in the attack route is a previously-undiscovered vulnerability, such previously-undiscovered virtual vulnerability (the vulnerability type) is determined to be a vulnerability that could establish an attack route and is to be monitored. Note that already-discovered vulnerabilities may also be included in the vulnerabilities to be monitored as necessary.
  • the virtual vulnerability V 1 of the OA terminal 411 and the virtual vulnerabilities V 1 and V 3 of the monitoring control server 423 are already-discovered vulnerabilities, and the virtual vulnerabilities V 1 to V 3 of the log server 421 are previously-undiscovered vulnerabilities. Then, if the virtual vulnerabilities V 1 to V 3 of the log server 421 , which are previously undiscovered, are later discovered as new vulnerabilities, an attack route will be established, and so the virtual vulnerabilities V 1 to V 3 of the log server 421 are the vulnerabilities to be monitored.
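The procedure of S201 to S206 (setting virtual vulnerabilities on every node, walking the attack graph from the intrusion point to the attack target, and comparing each virtual vulnerability on a route with the vulnerability information DB) as an added, runnable model; this is example code, not the patent's own implementation. The attack categories, impacts, product names, path establishment conditions and the contents of the known-vulnerability DB are constructed assumptions that mirror the FIG. 7 / FIG. 10 network and the FIG. 12 outcome (only the log server's vulnerability types end up as the ones to monitor).

```python
from collections import deque
from dataclasses import dataclass
from itertools import product

# A vulnerability type is a pair (attack category, impact of exploitation).
# The concrete category/impact values are assumed for this example; the
# virtual vulnerabilities are every combination of the two (8 types here).
ATTACK_CATEGORIES = ("remote", "local")
IMPACTS = ("arbitrary code execution", "data access",
           "denial of service", "privilege escalation")
VIRTUAL_VULNS = frozenset(product(ATTACK_CATEGORIES, IMPACTS))
RCE_R = ("remote", "arbitrary code execution")
DATA_R = ("remote", "data access")


@dataclass(frozen=True)
class AttackPath:
    """Path establishment conditions of one node-to-node attack."""
    source: str
    target: str
    condition: str   # attack condition: state the attacker needs on the source
    result: str      # attack result: state gained on the target
    means: tuple     # means of attack: vulnerability types that establish it


# Constructed model of the FIG. 7 / FIG. 10 system; product names are placeholders.
PRODUCTS = {"OA terminal": "software A", "log server": "software B",
            "maintenance server": "software C",
            "monitoring control server": "software D"}
PATHS = (
    AttackPath("internet", "OA terminal", "internet access",
               "arbitrary code execution", (RCE_R,)),
    AttackPath("OA terminal", "log server", "arbitrary code execution",
               "arbitrary code execution", (RCE_R, DATA_R)),
    AttackPath("log server", "maintenance server", "arbitrary code execution",
               "arbitrary code execution", (RCE_R,)),
    AttackPath("maintenance server", "monitoring control server",
               "arbitrary code execution", "arbitrary code execution", (RCE_R,)),
    AttackPath("log server", "monitoring control server",
               "arbitrary code execution", "arbitrary code execution",
               (DATA_R, RCE_R)),
)
# Constructed vulnerability information DB: types already disclosed per
# product. "software B" (log server) has no disclosed vulnerability at all.
KNOWN_DB = {"software A": {RCE_R}, "software C": {RCE_R},
            "software D": {RCE_R, DATA_R}}


def set_virtual_vulnerabilities(nodes):
    """S201: every node gets every vulnerability type (pseudo vulnerabilities)."""
    return {node: set(VIRTUAL_VULNS) for node in nodes}


def extract_attack_routes(paths, node_vulns, entry, target,
                          initial_state="internet access"):
    """S203/S204: walk the attack graph and return every attack route
    (list of AttackPath) from the intrusion point to the attack target.
    A path is traversable when the attacker holds its attack condition on
    the source and at least one of its means is set on the target node."""
    routes = []
    queue = deque([(entry, initial_state, [])])  # (node, state, route so far)
    while queue:
        node, state, route = queue.popleft()
        if node == target:
            routes.append(route)
            continue
        visited = {p.target for p in route} | {entry}   # no cycles
        for p in paths:
            if p.source != node or p.condition != state or p.target in visited:
                continue
            if not set(p.means) & node_vulns.get(p.target, set()):
                continue
            queue.append((p.target, p.result, route + [p]))
    return routes


def shortest_route(routes):
    """The shortest route has the fewest attack steps and so the highest risk."""
    return min(routes, key=len)


def discriminate(routes, known_db, products):
    """S205/S206: compare each virtual vulnerability type used on a route with
    the already-discovered types of the product on that node; types with no
    matching disclosed vulnerability are the ones to monitor."""
    to_monitor = {}
    for route in routes:
        for p in route:
            known = known_db.get(products.get(p.target), set())
            for vtype in p.means:
                if vtype not in known:
                    to_monitor.setdefault(p.target, set()).add(vtype)
    return to_monitor


def run_analysis(entry="internet", target="monitoring control server"):
    """Full pipeline: returns (all attack routes, vulnerabilities to monitor)."""
    node_vulns = set_virtual_vulnerabilities(PRODUCTS)
    routes = extract_attack_routes(PATHS, node_vulns, entry, target)
    return routes, discriminate(routes, KNOWN_DB, PRODUCTS)


if __name__ == "__main__":
    found_routes, monitor = run_analysis()
    for r in found_routes:
        print(" -> ".join([r[0].source] + [p.target for p in r]))
    print("to monitor:", monitor)
```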
  • the risk visualizing apparatus 100 displays the analysis result (S 207 ).
  • the display unit 106 displays the vulnerability (the vulnerability type) to be monitored in the information system 400 and the attack route which includes the vulnerability in an identifiable manner. Further, only potential attack routes may be displayed, or the vulnerabilities to be monitored in the potential attack routes may be displayed.
  • FIGS. 13 and 14 show the display examples of the analysis results.
  • FIG. 13 is an example in which only the potential attack routes are displayed.
  • a display screen 502 includes, for example, a system information display region 502 a , an attack route information display region 502 b , and a reference information display region 502 c.
  • the system information display region 502 a displays the system configuration of the analyzed information system 400 , displays the set intrusion point and the attack target, and displays the extracted attack route from the intrusion point to the attack target.
  • the attack routes which include already-discovered vulnerabilities (the attack paths that are already existing) and the attack paths which include previously-undiscovered vulnerabilities (the potential paths for which vulnerabilities that are exploitable are not discovered) are displayed distinguishably.
  • the attack path 521 between the internet 401 and the OA terminal 411 is an attack path which includes already-discovered vulnerabilities and is shown by a solid line (e.g. a red solid line).
  • since the attack paths 522 to 526 from the OA terminal 411 to the monitoring control server 423 and the HMI 424 are attack paths which include previously-undiscovered vulnerabilities (that is, not yet established attack routes), they are shown by dashed lines (e.g. blue dashed lines).
  • attack steps (the procedure of attack) in the analyzed attack route are displayed.
  • in the attack step A 1 , it is displayed that there is a possibility of the OA terminal 411 being infected with an email virus, and in the attack step A 2 , it is displayed that the log server 421 cannot be intruded owing to the firewall FW 2 .
  • the attack route information display region 502 b displays detailed information (such as risks etc.) with respect to the attack route displayed in the system information display region 502 a . Such display is performed in correspondence with the attack steps in the attack route displayed in the system information display region 502 a .
  • the risk due to the attack path which includes the already-discovered vulnerabilities and the risk due to the attack path which includes previously-undiscovered vulnerabilities are displayed distinguishably (by changing colors or the like). For instance, in the display of the attack step A 1 , it is explained that there is a risk of the OA terminal 411 being attacked. Further, in the display of the attack step A 2 , it is explained that there is no risk of the system being intruded further than the log server 421 . In the attack step A 2 , a mark or the like indicating safety is displayed.
  • the reference information display region 502 c displays the reference information with respect to the detailed information of the attack route displayed in the attack route information display region 502 b . Display is performed in correspondence with the attack steps in the attack route in a similar manner to that performed in the attack route information display region 502 b . For example, in the attack step A 1 , since the attack route includes already-discovered vulnerabilities, link information (information source) of a website on which the vulnerabilities are made public and the like are displayed as the reference information.
  • FIG. 14 is an example showing vulnerabilities that reveal the attack routes.
  • a display screen 503 includes, like the display screen shown in FIG. 13 , a system information display region 503 a , an attack route information display region 503 b , and a reference information display region 503 c.
  • the system information display region 503 a displays the system configuration and the attack route of the analyzed information system 400 like in the display example shown in FIG. 13 .
  • the attack path 531 is indicated by a solid line and the attack paths 532 to 536 are indicated by dashed lines.
  • the attack path 534 includes already-discovered vulnerabilities (vulnerabilities to be monitored) but since the attack path 534 is not connected to serve as an attack route, the attack path is indicated by bold dashed lines (e.g. red dashed lines).
  • as the attack steps in the attack route, it is displayed in the attack step A 1 that the OA terminal 411 is infected with an email virus, in the attack step A 2 that the log server 421 is under a risk of being intruded, and in the attack step A 3 that the monitoring control server 423 is under a risk of having its vulnerabilities exploited.
  • the attack route is connected whereby the attack path is shown in bold (e.g. blue bold letters).
  • the attack route information display region 503 b displays detailed information corresponding to the attack steps in the attack route displayed in the system information display region 503 a .
  • in the attack step A 1 , it is described that there is a risk of the OA terminal 411 being attacked.
  • in the attack step A 2 , it is explained that there is a risk of the log server 421 being intruded when a vulnerability is discovered.
  • a mark or the like is displayed indicating that vulnerabilities are not yet discovered but attention needs to be paid thereto.
  • the reference information display region 503 c displays the reference information corresponding to the attack steps in the attack route displayed in the attack route information display region 503 b like in the display example shown in FIG. 13 .
  • in the attack step A 1 and the attack step A 3 , reference information related to the already-discovered vulnerabilities is displayed.
  • in the attack step A 2 , it is displayed that attention needs to be paid to the vulnerability information since the system may be intruded if a vulnerability is discovered.
  • virtual vulnerabilities including all vulnerability types are set in every node of the information system, potential attack routes are extracted using the attack graph generation technique, and the virtual vulnerabilities in each potential attack route are grasped. Based on whether each virtual vulnerability is already-discovered or previously-undiscovered, it is discriminated whether the attack route could be established when a new vulnerability is discovered.
  • the analysis method according to the first example embodiment may be implemented on a periodic basis. Since the database of the vulnerability information is updated as needed to thereby add new vulnerabilities, it is desirable to analyze vulnerabilities using more recent information. For example, the previous analysis result is stored in the storage device and, by repeating the determination as to whether the virtual vulnerabilities are already-discovered or previously-undiscovered on a periodic basis, it is possible to detect that a vulnerability included in the attack route is a newly discovered vulnerability. That is, the risk visualizing apparatus 100 may include a notification unit (an output unit) that refers to the vulnerability information DB 300 , detects whether or not a vulnerability determined to be monitored is a newly discovered vulnerability, and issues a notification when the vulnerability is a newly discovered vulnerability.
  • each of the configurations in the above-described example embodiments is constituted by hardware and/or software, and may be constituted by one piece of hardware or software, or may be constituted by a plurality of pieces of hardware or software.
  • each apparatus and each function may be implemented by a computer 20 including a processor 21 such as a CPU (Central Processing Unit) and a memory 22 as a storage device.
  • programs (analysis programs) for performing the method according to the example embodiments may be stored in the memory 22
  • each function may be implemented by the processor 21 executing the programs stored in the memory 22 .
  • Non-transitory computer readable media include any type of tangible storage media. Examples of non-transitory computer readable media include magnetic storage media (e.g. floppy disks, magnetic tapes, hard disk drives, etc.), optical magnetic storage media (e.g. magneto-optical disks), CD-ROM (Read Only Memory), CD-R, CD-R/W, and semiconductor memories (such as mask ROM, PROM (programmable ROM), EPROM (Erasable PROM), flash ROM, RAM (random access memory), etc.).
  • the program may be provided to a computer using any type of transitory computer readable media. Examples of transitory computer readable media include electric signals, optical signals, and electromagnetic waves. Transitory computer readable media can provide the program to a computer via a wired communication line such as electric wires and optical fibers or a wireless communication line.
  • An analysis apparatus comprising:
  • setting means for setting virtual vulnerabilities in a plurality of nodes configuring an information system to be analyzed
  • extraction means for extracting an attack route of the information system based on the set virtual vulnerabilities
  • discrimination means for discriminating vulnerabilities to be monitored based on the virtual vulnerabilities in the extracted attack route.
  • each of the vulnerability types includes a type of intrusion method or a type of result of attack.
  • each of the virtual vulnerabilities is a combination of the type of intrusion method and the type of result of attack.
  • the analysis apparatus as described in any one of Supplementary notes 4 to 6, wherein the result of attack includes arbitrary code execution, data access, data tampering, and DoS (Denial of Service).
  • the analysis apparatus as described in any of Supplementary notes 1 to 14, further comprising output means for outputting the discriminated vulnerability to be monitored.
  • An analysis program for causing a computer to execute the processing of:

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

An analysis apparatus (10) includes: a setting unit (11) configured to set virtual vulnerabilities in a plurality of nodes configuring an information system to be analyzed; an extraction unit (12) configured to extract an attack route of the information system based on the virtual vulnerabilities set by the setting unit (11); and a discrimination unit (13) configured to discriminate vulnerabilities to be monitored based on the virtual vulnerabilities in the attack route extracted by the extraction unit (12).

Description

    TECHNICAL FIELD
  • The present disclosure relates to an analysis apparatus, an analysis method, and a non-transitory computer readable medium storing an analysis program.
  • BACKGROUND ART
  • In recent years, there has been a significant increase in cyberattacks that attack vulnerabilities in information systems, which increases the threat to cybersecurity. Therefore, as information systems including control systems and IoT (Internet of Things) continue to become more diverse and more complex, a major issue is how to address the ever-increasing vulnerabilities in the information systems.
  • As related techniques, for example, Patent Literatures 1 and 2 are known. Patent Literature 1 describes that in a security diagnostic system, intrusion routes to the information assets of a target system are searched for, and a list of vulnerabilities in the intrusion routes is displayed. Further, Patent Literature 2 describes that in a network vulnerability inspection apparatus, vulnerability test data of unknown vulnerabilities and previously-undiscovered security holes is automatically created, and a vulnerability test of the inspection target network equipment is conducted.
  • CITATION LIST Patent Literature
    • Patent Literature 1: Japanese Unexamined Patent Application Publication No. 2008-257577
    • Patent Literature 2: Japanese Unexamined Patent Application Publication No. 2005-354338
    SUMMARY OF INVENTION Technical Problem
  • In the related techniques such as those described in Patent Literatures 1 and 2, in order to analyze vulnerabilities in an information system, intrusion routes are searched for and vulnerability tests are conducted. However, the related techniques are techniques for extracting vulnerabilities that are obviously present in the assets of the information system or vulnerabilities that are already-discovered, and thus there is a problem that it is difficult to grasp the vulnerabilities that may have an impact on the information system (vulnerabilities whose existence is not yet confirmed but which, if discovered, may have an impact on the system).
  • The present disclosure has been made in view of the problem mentioned above, and an object of the present disclosure is to provide an analysis apparatus, an analysis method, and a non-transitory computer readable medium storing an analysis program, each of the apparatus, the method, and the program being adapted to grasp vulnerabilities that may have an impact on an information system.
  • Solution to Problem
  • An analysis apparatus according to the present disclosure includes:
  • setting means for setting virtual vulnerabilities in a plurality of nodes configuring an information system to be analyzed;
  • extraction means for extracting an attack route of the information system based on the set virtual vulnerabilities; and
  • discrimination means for discriminating vulnerabilities to be monitored based on the virtual vulnerabilities in the extracted attack route.
  • An analysis method according to the present disclosure includes:
  • setting virtual vulnerabilities in a plurality of nodes configuring an information system to be analyzed;
  • extracting an attack route of the information system based on the set virtual vulnerabilities; and
  • discriminating vulnerabilities to be monitored based on the virtual vulnerabilities in the extracted attack route.
  • A non-transitory computer readable medium according to the present disclosure stores an analysis program for causing a computer to execute the processing of:
  • setting virtual vulnerabilities in a plurality of nodes configuring an information system to be analyzed;
  • extracting an attack route of the information system based on the set virtual vulnerabilities; and
  • discriminating vulnerabilities to be monitored based on the virtual vulnerabilities in the extracted attack route.
  • Advantageous Effects of Invention
  • According to the present disclosure, it is possible to provide an analysis apparatus, an analysis method, and a non-transitory computer readable medium storing an analysis program, each of the apparatus, the method, and the program being adapted to grasp vulnerabilities that may have an impact on an information system.
  • BRIEF DESCRIPTION OF DRAWINGS
  • FIG. 1 is a flowchart showing a related vulnerability management method;
  • FIG. 2 is a configuration diagram showing an outline of an analysis apparatus according to example embodiments;
  • FIG. 3 is a diagram for describing the vulnerability types according to a first example embodiment;
  • FIG. 4 is a schematic diagram showing a configuration diagram of an analysis system according to the first example embodiment;
  • FIG. 5 is a diagram showing an example of virtual vulnerabilities according to the first example embodiment;
  • FIG. 6 is a flowchart showing an operation example of the analysis system according to the first example embodiment;
  • FIG. 7 is a diagram showing a configuration example of an information system that is analyzed by the analysis system according to the first example embodiment;
  • FIG. 8 is a diagram for describing a method of analyzing an attack route according to the first example embodiment;
  • FIG. 9 is a diagram showing an example of analytical elements in an attack route according to the first example embodiment;
  • FIG. 10 is a diagram showing an example of an attack graph according to the first example embodiment;
  • FIG. 11 is a diagram showing an example of virtual vulnerabilities in the attack route according to the first example embodiment;
  • FIG. 12 is a diagram showing an example of virtual vulnerabilities in the attack route according to the first example embodiment;
  • FIG. 13 is a diagram showing a display example of an analysis result according to the first example embodiment;
  • FIG. 14 is a diagram showing a display example of an analysis result according to the first example embodiment; and
  • FIG. 15 is a configuration diagram showing an outline of hardware of a computer according to example embodiments.
  • DESCRIPTION OF EMBODIMENTS
  • Hereinbelow, example embodiments will be described with reference to the drawings. In the drawings, the same structural elements are denoted by the same reference symbols and redundant explanations thereof are omitted where appropriate.
  • (Study Leading to Example Embodiments)
  • First, management of vulnerabilities in information systems is investigated. FIG. 1 shows a related vulnerability management method. This method is mainly performed by an administrator.
  • As shown in FIG. 1 , in the related vulnerability management method, a vulnerability of a target information system is first recognized (S110), and the recognized vulnerability is addressed (S120).
  • In the recognition of the vulnerability (S110), a configuration of the information system is acquired (S101). Software and hardware included in the information system are acquired by referring to a detailed design document of the information system and obtaining system configuration information of the information system.
  • Next, vulnerability information of the information system is collected (S102). The vulnerability information of the acquired software and hardware is collected from alert information by IPA (Information-technology Promotion Agency), public databases of vulnerability information such as CVE (Common Vulnerabilities and Exposures) and NVD (National Vulnerability Database).
  • Next, it is determined whether or not the vulnerabilities need to be addressed (S103). Based on the collected vulnerability information, it is determined whether or not the vulnerabilities of the software and the hardware should be addressed in the information system.
  • When it is determined that a countermeasure is needed, detection and analysis (S104) of an attack exploiting the vulnerability are performed as a countermeasure against the vulnerability (S120). By referring to a log of the information system, it is confirmed whether there is any trace of the attack which exploited the corresponding vulnerability. Depending on a result of the detection of the attack exploiting the vulnerability and the details of the vulnerability, necessary countermeasures such as prevention (mitigation measure) (S105), containment/eradication/recovery (S106), and prevention (permanent measure) (S107) shall be taken. In the prevention (mitigation measure) (S105), filtering of IP (Internet Protocol) addresses and URLs (Uniform Resource Locators) is set in the information system. The containment/eradication/recovery (S106) involve incident handling. In the prevention (permanent measure) (S107), a patch is installed in the information system.
  • With such a management method, for example, when a new vulnerability is discovered, an impact on the information system is assessed, and the administrator determines whether or not the vulnerability needs to be addressed. Safety of information systems can be maintained by addressing newly discovered vulnerabilities.
  • However, since the vulnerabilities in information systems continue to increase year by year, the number of vulnerabilities which administrators need to check is increasing, and it is getting more difficult to determine whether or not vulnerabilities need to be addressed. That is, in the related techniques, every time a vulnerability is discovered, the impact of the newly discovered vulnerability on the information system is determined, and so all newly discovered vulnerabilities must be checked (monitored) for their impacts on the information system.
  • Therefore, in the following example embodiments, by grasping and monitoring only the vulnerabilities that may have an impact on the information system, it is possible to reduce the burden of vulnerability management.
  • (Outline of Example Embodiments)
  • FIG. 2 shows an outline of an analysis apparatus according to the example embodiments. As shown in FIG. 2 , an analysis apparatus 10 according to the example embodiments includes a setting unit 11, an extraction unit 12, and a discrimination unit 13.
  • The setting unit 11 sets virtual vulnerabilities in nodes constituting an information system. The extraction unit 12 extracts an attack route of the information system based on the virtual vulnerabilities set by the setting unit 11. For instance, the extraction unit 12 extracts, using an attack route generation technique (an attack graph generation technique), a potential attack route in the information system to which the virtual vulnerabilities are set.
  • The discrimination unit 13 discriminates the vulnerabilities to be monitored based on the virtual vulnerabilities in the node in the attack route extracted by the extraction unit 12. For example, the discrimination unit 13 grasps the list of vulnerabilities that appear in a section of the extracted attack route from the starting point of the attack to the end of the attack, and in the list of vulnerabilities that appear in a section of the extracted attack route, the vulnerabilities that are already-discovered/previously-undiscovered at the current stage are investigated, and the undiscovered vulnerabilities are considered to be vulnerabilities to be monitored.
  • As described above, potential attack routes are extracted based on the virtual vulnerabilities that are pseudo vulnerabilities and by discriminating the virtual vulnerabilities in the extracted attack routes, it is possible to grasp the vulnerabilities that could establish an attack route in the information system, that is, it is possible to grasp the vulnerabilities that could have an impact on the information system.
  • First Example Embodiment
  • Hereinbelow, a first example embodiment will be described with reference to the drawings.
  • <Classification of Vulnerability Types>
  • First, in order to facilitate understanding of the present example embodiment, how the vulnerabilities (the vulnerability information) are handled in the present example embodiment will be described. In the present example embodiment, the vulnerabilities are classified into predetermined types that are arbitrarily determined based on the content of the attack. While various vulnerabilities are already discovered for each software (product) and for the content of each attack, the vulnerabilities can be classified into several types based on the “attack category” and the “impact of exploitation”. The “attack category” is a category such as remote attack/local attack and the like (an intrusion method). The “impact of exploitation” refers to an impact on the system when the vulnerabilities are exploited (the result of the attack).
  • FIG. 3 shows a specific example of the classification of the types of vulnerabilities. For example, as the vulnerability information acquired from the public databases and the like, there are vulnerability information X and vulnerability information Y as shown in FIG. 3 . The vulnerability information includes the “target product”, which is the target of the attack, and the “content of the vulnerability”, which is the details of the vulnerability. The target products of the vulnerability X and the vulnerability Y are “software A” and “software B”, respectively, and while the target products differ, the contents of the vulnerabilities are the same, that is, “allowing an attacker to execute a malicious code by exploiting the vulnerabilities remotely”. Therefore, when the “attack category” and the “impact of exploitation” are extracted from the contents of the vulnerabilities and the vulnerability X and the vulnerability Y are classified by their types, the vulnerability type of the vulnerability X falls under the category of “remote” for the attack category and under the category of “arbitrary code execution” for the impact of exploitation, and the vulnerability Y also falls under the same attack category and the same impact of exploitation as the vulnerability X.
  • As described above, by converting the vulnerabilities (the vulnerability information) into the vulnerability types, even when the vulnerabilities are different from one another, they can be handled as the same type. In the present example embodiment, as a way of analyzing the vulnerabilities, there is a method of discriminating the types of the vulnerabilities of the node in the attack route to thereby grasp the impact of the vulnerabilities on the information system. For example, when the types of the vulnerabilities that could be exploited in an attack can be discriminated, that is, when there is vulnerability of a type that could be attacked if discovered, such type of vulnerability is to be monitored.
  • <System Configuration>
  • FIG. 4 is a configuration example of an analysis system 1 according to the present example embodiment. The analysis system 1 according to the present example embodiment analyzes the potential vulnerabilities (the attack route) in the information system to be analyzed and visualizes the analysis result.
  • As shown in FIG. 4 , the analysis system (the analysis apparatus) 1 includes a risk visualizing apparatus 100, a system configuration information DB (database) 200, and a vulnerability information DB 300. The system configuration information DB 200 and the vulnerability information DB 300 may be connected to the risk visualizing apparatus 100 via a network such as the internet or may be directly connected to the risk visualizing apparatus 100. Further, the system configuration information DB 200 and the vulnerability information DB 300 may be storage devices incorporated in the risk visualizing apparatus 100.
  • The system configuration information DB 200 is a database for storing, in advance, the system configuration information of the information system to be analyzed. The system configuration information includes hardware information, software information, network information, various setting information, and the like of node devices (terminals) constituting the information system.
  • The vulnerability information DB 300 is a database for storing the vulnerability information of already-discovered (disclosed) vulnerability. As shown in, for instance, FIG. 3 , the vulnerability information includes the target product and the content of the vulnerability for each vulnerability. Further, the vulnerability information is classified into vulnerability types (attack category and impact of exploitation) in advance. The vulnerability information DB 300 may store, in addition to the vulnerability information that is made public by public organizations such as IPA, CVE, NVD, and JVN (Japan Vulnerability Notes), vulnerability information that is made public by security vendors and other vendors. Further, as long as the vulnerability information that is made public can be acquired, the configuration is not limited to databases and may be any configuration such as a blog.
  • The risk visualizing apparatus 100 includes a virtual vulnerability setting unit 101, an analysis element setting unit 102, an attack route analysis unit 103, an attack route extraction unit 104, a vulnerability analysis unit 105, and a display unit 106. Note that other configuration may be adopted as long as the operations described later can be performed.
  • The virtual vulnerability setting unit 101 sets the virtual vulnerabilities in the nodes constituting the information system to be analyzed. The virtual vulnerabilities are vulnerability type of virtual (pseudo) vulnerabilities. The virtual vulnerabilities encompass vulnerabilities of all possible vulnerability types, that is, the virtual vulnerabilities include all of the prescribed vulnerability types into which the vulnerabilities are classified. By setting the above-described virtual vulnerabilities, it is possible to extract all potential attack routes.
  • FIG. 5 shows a specific example of virtual vulnerabilities. The vulnerability type includes the “attack category” and the “impact of exploitation”, and the virtual vulnerabilities are every combination of the type of “attack category” and the type of “impact of exploitation”. For example, there are two types of attack category, “remote” and “local”, and there are four types of impact of exploitation, “arbitrary code execution”, “data access”, “data tampering”, and “DoS (Denial of Service)”. In this case, as shown in FIG. 5 , eight types of vulnerabilities are the virtual vulnerabilities. Note that FIG. 5 is a mere example and other types of virtual vulnerabilities may be included as necessary. For example, “administrator privileges”, “general-user privileges”, and the like may be included in the attack category, or “privilege escalation” and the like may be included in the impact of exploitation.
  • In order to generate the attack graph, the analysis element setting unit 102 sets analysis elements such as an intrusion point (entry point) of the attack route in the information system and an attack target. For example, the analysis elements may be set in advance or may be set by a user operation or the like. The attack route analysis unit 103 analyzes the attack route (the attack path) based on the analysis elements such as the set intrusion point and attack target. The attack route extraction unit 104 generates the attack graph by using the attack graph generation technique (attack graph generation tool) based on the analysis result, and extracts all potential attack routes from the generated attack graph. The attack graph is a graph showing the attack steps assumed for the information system to be analyzed, in which the nodes passed through by the attack steps are connected in order from the intrusion point to the attack target. The connection route of the nodes from the intrusion point to the attack target in the attack graph is the attack route.
  • The vulnerability analysis unit (the discrimination unit) 105 analyzes the virtual vulnerabilities in the extracted attack route and discriminates the vulnerabilities to be monitored. The vulnerability analysis unit 105 discriminates the vulnerability to be monitored based on whether the virtual vulnerability in the attack route is vulnerability that is already discovered or not. When the virtual vulnerability in the attack route is previously-undiscovered vulnerability, the vulnerability analysis unit 105 determines that monitoring is to be performed for such undiscovered virtual vulnerability.
  • The display unit (the output unit) 106 is a display apparatus that displays the analysis result and the like and displays the discriminated vulnerability to be monitored and the like using the GUI (Graphical User Interface) and the like. For example, the display unit 106 distinguishably displays the vulnerability to be monitored in the attack route and the other vulnerabilities in the attack route. The display unit 106 is a liquid crystal display, an organic EL display, or the like and may be an external device of the risk visualizing apparatus 100. Note that the monitoring targets and the like may be output not only by displaying but also by other methods (by e-mails, data transmission or the like).
  • <Operation of System>
  • FIG. 6 shows an operation example (an analysis method) of the analysis system 1 according to the present example embodiment. As shown in FIG. 6 , first, the risk visualizing apparatus 100 sets the virtual vulnerabilities (S201). The virtual vulnerability setting unit 101 generates the virtual vulnerabilities (the virtual vulnerability information) including all vulnerability types (e.g. 8 types) shown in FIG. 5 . Further, the virtual vulnerability setting unit 101 acquires the system configuration information of the information system to be analyzed from the system configuration information DB 200 and sets the generated virtual vulnerabilities in each node configuring the information system. The node is a device such as a terminal or a server that could be the target whose vulnerabilities are exploited and is, for instance, hardware, but it may be software.
  • FIG. 7 shows a configuration example of an information system to be analyzed. As shown in FIG. 7 , for instance, the information system 400 is a production management system including an information network 410, a control network 420, and a field network 430. The information network 410 is connected to the internet 401 via a firewall FW1 and includes an OA terminal 411. The control network 420 is connected to the information network 410 via a firewall FW2, and includes a log server 421, a maintenance server 422, a monitoring control server 423, and an HMI (Human Machine Interface) 424. The field network 430 is connected to the control network 420 via programmable logic controllers PLC1 and PLC2, and includes IoT device 431, FA (Factory Automation) device 432, and the like.
  • The virtual vulnerability setting unit 101 sets the virtual vulnerabilities in every node in the information system 400. In this example, virtual vulnerabilities are set in the OA terminal 411, the log server 421, the maintenance server 422, the monitoring control server 423, the HMI 424, the IoT device 431, and the FA device 432. Note that when the virtual vulnerabilities are applicable, the virtual vulnerabilities may be set in the firewalls FW1 and FW2, repeaters such as the programmable logic controllers PLC1 and PLC2, and the like.
  • Next, the risk visualizing apparatus 100 analyzes the attack route (S202). The analysis element setting unit 102 sets analytical elements such as the intrusion point of the attack route and the target of attack, and the attack route analysis unit 103 analyzes the attack route based on the set analytical elements.
  • For example, the display unit 106 displays a display screen 501 like that shown in FIG. 8 , which enables the user to set the analytical elements via the GUI of the display screen 501. In the example shown in FIG. 8 , the system configuration of the information system 400 is displayed on the display screen 501, and the user selects the node to thereby set the analytical elements such as the intrusion point and the attack target. Nodes may be added to the information system as necessary. For instance, the internet 401 and a newly added bring-in PC (Personal Computer) 411 may be set as the intrusion point of attack and the monitoring control server 423 and the HMI 424 may be set as the attack targets.
  • The attack route analysis unit 103 may analyze the attack route from the set intrusion point and the attack target or may analyze the arbitrarily designated attack route. For example, as the analytical elements, as shown in FIG. 9 , in addition to the intrusion point and the attack target, the final attack (the result of the attack), the assumed attack path (the attack route) between the nodes, and the like are set, and the attack route is analyzed.
  • Next, the risk visualizing apparatus 100 extracts the attack route (S203). The attack route extraction unit 104 generates an attack graph using the attack graph generation technique based on the information that is set and analyzed and extracts all potential attack routes. That is, by inputting the system configuration information to which the virtual vulnerabilities are set to the attack graph generation technique, an attack graph showing an attack from the intrusion point to the attack target via the virtual vulnerabilities of the nodes is generated.
  • FIG. 10 shows a specific example of an attack graph to be generated. The attack graph shown in FIG. 10 includes all attack routes from the internet 401 to the attack target, with the internet 401 being the intrusion point. For instance, the attack routes r1 and r2 are examples of the attack routes from the internet 401 to the monitoring control server 423. The attack route r1 is a route of intrusion from the internet 401 to attack the monitoring control server 423 via the OA terminal 411, the log server 421, and the maintenance server 422. The attack route r2 is a route of intrusion from the internet 401 to attack the monitoring control server 423 via the OA terminal 411 and the log server 421.
  • The attack route consists of attack paths between nodes. Each attack path has path establishment conditions that must be met for the node-to-node attack to be established. For example, the attack route r2 includes an attack path p1 between the internet 401 and the OA terminal 411, an attack path p2 between the OA terminal 411 and the log server 421, and an attack path p3 between the log server 421 and the monitoring control server 423. That is, when the attack paths p1 to p3 are attacked in sequence with attacks that meet their path establishment conditions, the attack on the attack target succeeds along the attack route r2. As shown in FIG. 10 , the path establishment conditions of an attack path include, for example, the attack source, the attack target, the attack conditions (the condition of the attack source), the result of the attack (the condition of the attack target), and the means of attack (the virtual vulnerabilities).
  • Next, the risk visualizing apparatus 100 analyzes the vulnerabilities (S204). The vulnerability analysis unit 105 analyzes the virtual vulnerabilities in the attack route extracted from the attack graph. The vulnerability analysis unit 105 refers to each attack path included in the attack route in the attack graph and grasps all virtual vulnerabilities (a list of vulnerabilities) in the attack route from the starting point of the attack to the end of the attack. All attack routes included in the attack graph may be analyzed, or only the shortest route may be analyzed. By analyzing all attack routes, it is possible to comprehensively analyze potential attack routes. Further, since the shortest route has the highest risk of being attacked, by analyzing only the shortest route, it is possible to analyze the high-risk vulnerabilities effectively.
  • FIG. 11 shows an example of virtual vulnerabilities grasped in the attack route. For example, assuming that the attack route r2 is the shortest route and referring to the attack path p2 of the attack route r2, the path establishment conditions of the attack path p2 include the OA terminal as the attack source, the log server as the attack target, execution of arbitrary code as the attack condition, execution of arbitrary code as the attack result, and the virtual vulnerability V1 and the virtual vulnerability V2 as the means of attack. The virtual vulnerabilities V1 and V2 are any of the virtual vulnerability types shown in, for example, FIG. 5 . From these path establishment conditions, the vulnerabilities for the attack path p2 to be established are grasped as the virtual vulnerability V1 that enables arbitrary code execution on the OA terminal 411 and the virtual vulnerabilities V1 and V2 that enable arbitrary code execution on the log server 421. In the example shown in FIG. 11 , as the vulnerabilities for the attack path p2 and the attack path p3 to be established, the virtual vulnerability V3 that enables data access by the log server 421, the virtual vulnerability V3 that enables data access by the monitoring control server 423, and the virtual vulnerability V1 that enables arbitrary code execution are grasped. For example, the monitoring control server 423 can be accessed when arbitrary code execution according to the virtual vulnerabilities V1 and V2 is performed on the log server 421 after arbitrary code execution according to the virtual vulnerability V1 is performed on the OA terminal 411, or when arbitrary code execution according to the virtual vulnerabilities V1 and V2 is performed after data access according to the virtual vulnerability V3 is performed on the log server 421. Further, when the monitoring control server 423 performs data access according to the virtual vulnerability V3 and arbitrary code execution according to the virtual vulnerability V1 is then performed, the final critical assets are affected. In the present example embodiment, the vulnerability to be monitored is discriminated based on the virtual vulnerability that causes establishment of a potential attack route that could affect the critical assets.
  • The risk visualizing apparatus 100 checks whether the virtual vulnerabilities are already-discovered or previously-undiscovered vulnerabilities (S205), and when a virtual vulnerability is a previously-undiscovered vulnerability, that previously-undiscovered vulnerability (the vulnerability type) is to be monitored (S206). The vulnerability analysis unit 105 refers to the vulnerability information DB 300, which stores the already-discovered vulnerabilities, and confirms whether each virtual vulnerability (the vulnerability type) grasped in the attack route is a vulnerability that has already been discovered or not. For instance, the vulnerability information DB 300 stores vulnerability information including the vulnerability type of each vulnerability that has already been discovered (disclosed). The vulnerability type (the attack category and the impact of exploitation) of the virtual vulnerability is compared with the vulnerability type of the already-discovered vulnerability, and whether the two match is checked. When no applicable vulnerability is present in the vulnerability information DB 300, that is, when the virtual vulnerability in the attack route is a previously-undiscovered vulnerability, that previously-undiscovered virtual vulnerability (the vulnerability type) is determined to be a vulnerability that could establish an attack route and is to be monitored. Note that already-discovered vulnerabilities may be included in the vulnerabilities to be monitored as necessary.
  • For example, as shown in FIG. 12 , assume that the virtual vulnerability V1 of the OA terminal 411 and the virtual vulnerabilities V1 and V3 of the monitoring control server 423 are already-discovered vulnerabilities, and the virtual vulnerabilities V1 to V3 of the log server 421 are previously-undiscovered vulnerabilities. Then, if the virtual vulnerabilities V1 to V3 of the log server 421, which were previously undiscovered, are later discovered as new vulnerabilities, an attack route will be established, and so the virtual vulnerabilities V1 to V3 of the log server 421 are vulnerabilities to be monitored.
  • Next, the risk visualizing apparatus 100 displays the analysis result (S207). The display unit 106 displays the vulnerability (the vulnerability type) to be monitored in the information system 400 and the attack route which includes the vulnerability in an identifiable manner. Further, only potential attack routes may be displayed, or the vulnerabilities to be monitored in the potential attack routes may be displayed. FIGS. 13 and 14 show the display examples of the analysis results.
  • FIG. 13 is an example in which only the potential attack routes are displayed. As shown in FIG. 13 , a display screen 502 includes, for example, a system information display region 502 a, an attack route information display region 502 b, and a reference information display region 502 c.
  • The system information display region 502 a displays the analyzed system configuration of the information system 400, displays the set intrusion point and the attack target, and displays the extracted attack route from the intrusion point to the attack target. Among the attack routes, the attack paths which include already-discovered vulnerabilities (the attack paths that already exist) and the attack paths which include previously-undiscovered vulnerabilities (the potential paths for which exploitable vulnerabilities have not been discovered) are displayed distinguishably.
  • For instance, the attack path 521 between the internet 401 and the OA terminal 411 is an attack path which includes already-discovered vulnerabilities and is shown by a solid line (e.g. a red solid line). Further, since the attack paths 522 to 526 from the OA terminal 411 to the monitoring control server 423 and the HMI 424 are attack paths which include previously-undiscovered vulnerabilities (non-attack routes), they are shown by dashed lines (e.g. blue dashed lines).
  • Further, the attack steps (the procedure of attack) in the analyzed attack route are displayed. For example, in the attack step A1, it is displayed that there is a possibility of the OA terminal 411 being infected with an email virus, and in the attack step A2, it is displayed that the log server 421 cannot be intruded owing to the firewall FW2.
  • The attack route information display region 502 b displays detailed information (such as risks etc.) with respect to the attack route displayed in the system information display region 502 a. Such display is performed in correspondence with the attack steps in the attack route displayed in the system information display region 502 a. The risk due to the attack path which includes the already-discovered vulnerabilities and the risk due to the attack path which includes previously-undiscovered vulnerabilities are displayed distinguishably (by changing colors or the like). For instance, in the display of the attack step A1, it is explained that there is a risk of the OA terminal 411 being attacked. Further, in the display of the attack step A2, it is explained that there is no risk of the system being intruded further than the log server 421. In the attack step A2, a mark or the like indicating safety is displayed.
  • The reference information display region 502 c displays the reference information with respect to the detailed information of the attack route displayed in the attack route information display region 502 b. Display is performed in correspondence with the attack steps in the attack route in the same manner as in the attack route information display region 502 b. For example, in the attack step A1, since the attack route includes already-discovered vulnerabilities, link information (the information source) of a website on which the vulnerabilities are made public and the like are displayed as the reference information.
  • FIG. 14 is an example showing vulnerabilities that reveal the attack routes. As shown in FIG. 14 , a display screen 503 includes, like the display screen shown in FIG. 13 , a system information display region 503 a, an attack route information display region 503 b, and a reference information display region 503 c.
  • The system information display region 503 a displays the system configuration and the attack route of the analyzed information system 400 like in the display example shown in FIG. 13 . The attack path 531 is indicated by a solid line and the attack paths 532 to 536 are indicated by dashed lines. In this example, the attack path 534 includes already-discovered vulnerabilities (vulnerabilities to be monitored), but since the attack path 534 is not connected so as to serve as an attack route, the attack path is indicated by bold dashed lines (e.g. red dashed lines). Further, as the attack steps in the attack route, it is displayed in the attack step A1 that the OA terminal 411 is infected with an email virus, in the attack step A2 that the log server 421 is at risk of being intruded, and in the attack step A3 that the monitoring control server 423 is at risk of having its vulnerabilities exploited. In the attack step A2, when vulnerabilities are discovered, the attack route becomes connected, whereby the attack path is shown in bold (e.g. blue bold letters).
  • Like in FIG. 13 , the attack route information display region 503 b displays detailed information corresponding to the attack steps in the attack route displayed in the system information display region 503 a. For instance, in the display of the attack step A1, it is described that there is a risk of the OA terminal 411 being attacked. Further, in the display of the attack step A2, it is explained that there is a risk of the log server 421 being intruded when a vulnerability is discovered. In the attack step A2, a mark or the like is displayed indicating that vulnerabilities have not yet been discovered but attention needs to be paid thereto. In the display of the attack step A3, it is explained that there is a risk of the monitoring control server 423, which is set as the attack target, being intruded after the attack step A2. Further, damage caused to the business may be displayed as the final result of the attack.
  • The reference information display region 503 c displays the reference information corresponding to the attack steps in the attack route displayed in the attack route information display region 503 b like in the display example shown in FIG. 13 . For example, in the attack step A1 and the attack step A3, reference information related to the already-discovered vulnerabilities is displayed. In the attack step A2, it is displayed that attention needs to be paid to the vulnerability information since the system may be intruded if vulnerability is discovered.
  • <Effect>
  • As described above, in the present example embodiments, virtual vulnerabilities including all vulnerability types are set in every node of the information system, potential attack routes are extracted using the attack graph generation technique, and the virtual vulnerabilities in the potential attack routes are grasped. Based on whether each virtual vulnerability is an already-discovered or previously-undiscovered virtual vulnerability, discrimination is performed as to the possibility of the attack route being established when a new vulnerability is discovered. By this configuration, there is no need to confirm the impact of all discovered vulnerabilities on the information system, and it is possible to manage the vulnerabilities of the information system by only confirming (monitoring) the vulnerabilities that are determined in the present example embodiment, whereby the burden of management work can be reduced.
  • Other Example Embodiments
  • The analysis method according to the first example embodiment may be implemented on a periodic basis. Since the database of the vulnerability information is updated as needed to thereby add new vulnerabilities, it is desirable to analyze vulnerabilities using more recent information. For example, the previous analysis result is stored in the storage device and by repeating determination as to whether the virtual vulnerabilities are those that are already-discovered/previously-undiscovered on a periodic basis, it is possible to detect that the vulnerability included in the attack route is newly discovered vulnerability. That is, the risk visualizing apparatus 100 may include a notification unit (an output unit) that refers to the vulnerability information DB 300, detects whether or not vulnerability determined to be monitored is the newly discovered vulnerability, and issues a notification when the vulnerability is the newly discovered vulnerability.
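As an added illustration that is not NEC's code, the following Python models the procedure S201 to S206 of the first example embodiment together with the periodic re-check and notification described just above. The node names, the link map, the discovered-vulnerability DB, the mapping of V1 and V3 to concrete types, and the rule that an attack proceeds from a node once arbitrary code execution or data access is obtained there are all assumptions modelled on FIGS. 7, 11 and 12.

```python
"""Virtual-vulnerability attack-route analysis (S201-S206) plus the periodic
re-check. Added illustration, not NEC's code; sample data is constructed."""
from itertools import product
from typing import Dict, List, Set, Tuple

INTRUSION_METHODS = ("remote", "local")
ATTACK_RESULTS = ("arbitrary_code_execution", "data_access",
                  "data_tampering", "dos")
# Assumption modelled on FIG. 11: once code execution or data access is
# obtained on a node, the attack can continue from that node.
PROGRESS_RESULTS = {"arbitrary_code_execution", "data_access"}

VirtualVuln = Tuple[str, str]            # (intrusion method, result of attack)
NodeVulns = Dict[str, Set[VirtualVuln]]  # node -> vulnerability types


def generate_virtual_vulnerabilities() -> Set[VirtualVuln]:
    """All eight pseudo-classified types: intrusion method x attack result."""
    return set(product(INTRUSION_METHODS, ATTACK_RESULTS))


def set_virtual_vulnerabilities(nodes: List[str]) -> NodeVulns:
    """S201: every node is assumed to carry every vulnerability type."""
    return {node: generate_virtual_vulnerabilities() for node in nodes}


def extract_attack_routes(links: Dict[str, List[str]],
                          intrusion: str, target: str) -> List[List[str]]:
    """S202/S203: all loop-free routes from intrusion point to target over
    `links`, the node adjacency that remains after firewall rules."""
    routes, stack = [], [(intrusion, [intrusion])]
    while stack:
        node, route = stack.pop()
        if node == target:
            routes.append(route)
            continue
        for nxt in links.get(node, []):
            if nxt not in route:
                stack.append((nxt, route + [nxt]))
    return sorted(routes, key=len)       # shortest route first


def grasp_route_vulnerabilities(route: List[str],
                                node_vulns: NodeVulns) -> NodeVulns:
    """S204: for each attack path (source -> target) on the route, the means
    of attack are the target's virtual vulnerabilities whose result lets the
    attacker proceed; they are collected per node along the route."""
    grasped: NodeVulns = {}
    for _source, attack_target in zip(route, route[1:]):
        grasped[attack_target] = {v for v in node_vulns[attack_target]
                                  if v[1] in PROGRESS_RESULTS}
    return grasped


def discriminate_monitored(grasped: NodeVulns,
                           discovered_db: NodeVulns) -> NodeVulns:
    """S205/S206: a type with no matching entry in the vulnerability
    information DB for that node is undiscovered and must be monitored."""
    return {node: vulns - discovered_db.get(node, set())
            for node, vulns in grasped.items()}


def analyze(links: Dict[str, List[str]], intrusion: str, target: str,
            discovered_db: NodeVulns, shortest_only: bool = True):
    """Run S201-S206; returns (routes analysed, monitored types per node)."""
    nodes = set(links) | {n for targets in links.values() for n in targets}
    node_vulns = set_virtual_vulnerabilities(sorted(nodes))
    routes = extract_attack_routes(links, intrusion, target)
    if shortest_only:
        routes = routes[:1]
    monitored: NodeVulns = {}
    for route in routes:
        grasped = grasp_route_vulnerabilities(route, node_vulns)
        for node, vulns in discriminate_monitored(grasped, discovered_db).items():
            monitored.setdefault(node, set()).update(vulns)
    return routes, monitored


def newly_discovered(monitored: NodeVulns,
                     discovered_db_now: NodeVulns) -> NodeVulns:
    """Periodic re-check: monitored types that now appear in the refreshed
    DB are newly discovered vulnerabilities that would establish the route."""
    hits = {node: vulns & discovered_db_now.get(node, set())
            for node, vulns in monitored.items()}
    return {node: vulns for node, vulns in hits.items() if vulns}


# Constructed sample resembling FIG. 7: reachability after FW1/FW2 rules.
SAMPLE_LINKS = {
    "internet": ["oa_terminal"],
    "oa_terminal": ["log_server"],
    "log_server": ["maintenance_server", "monitoring_control_server"],
    "maintenance_server": ["monitoring_control_server"],
}
# Constructed DB state resembling FIG. 12 under the assumed mapping
# V1 = (remote, code execution), V3 = (remote, data access); log server unknown.
SAMPLE_DB: NodeVulns = {
    "oa_terminal": {("remote", "arbitrary_code_execution")},
    "monitoring_control_server": {("remote", "arbitrary_code_execution"),
                                  ("remote", "data_access")},
}

if __name__ == "__main__":
    routes, monitored = analyze(SAMPLE_LINKS, "internet",
                                "monitoring_control_server", SAMPLE_DB)
    print("shortest route:", " -> ".join(routes[0]))
    print("to monitor:", {n: sorted(v) for n, v in monitored.items()})
    # A later DB refresh discloses remote code execution on the log server.
    later_db = {**SAMPLE_DB, "log_server": {("remote", "arbitrary_code_execution")}}
    print("notify:", newly_discovered(monitored, later_db))
```

Running the module prints the shortest route r2 from FIG. 10, the per-node types still undiscovered on it, and the notification raised once the refreshed DB lists a log-server vulnerability of a monitored type.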
  • Note that each of the configurations in the above-described example embodiments is constituted by hardware and/or software, and may be constituted by one piece of hardware or software, or may be constituted by a plurality of pieces of hardware or software. As shown in FIG. 15 , each apparatus and each function (processing) may be implemented by a computer 20 including a processor 21 such as a CPU (Central Processing Unit) and a memory 22 as a storage device. For example, programs (analysis programs) for performing the method according to the example embodiments may be stored in the memory 22, and each function may be implemented by the processor 21 executing the programs stored in the memory 22.
  • These programs can be stored and provided to a computer using any type of non-transitory computer readable media. Non-transitory computer readable media include any type of tangible storage media. Examples of non-transitory computer readable media include magnetic storage media (e.g. floppy disks, magnetic tapes, hard disk drives, etc.), optical magnetic storage media (e.g. magneto-optical disks), CD-ROM (Read Only Memory), CD-R, CD-R/W, and semiconductor memories (such as mask ROM, PROM (programmable ROM), EPROM (Erasable PROM), flash ROM, RAM (random access memory), etc.). The program may be provided to a computer using any type of transitory computer readable media. Examples of transitory computer readable media include electric signals, optical signals, and electromagnetic waves. Transitory computer readable media can provide the program to a computer via a wired communication line such as electric wires and optical fibers or a wireless communication line.
  • Note that the present disclosure is not limited to the above-described example embodiments, and can be appropriately changed without departing from the spirit of the present disclosure.
  • The present disclosure has been described with reference to the example embodiments. However, it should be noted that the present disclosure is not to be limited in any way by the example embodiments described above. The configuration and the details of the present disclosure can be modified in various ways that can be understood by one skilled in the art within the scope of present disclosure.
  • The whole or part of the example embodiments disclosed above can be described as, but not limited to, the following supplementary notes.
  • (Supplementary Note 1)
  • An analysis apparatus comprising:
  • setting means for setting virtual vulnerabilities in a plurality of nodes configuring an information system to be analyzed;
  • extraction means for extracting an attack route of the information system based on the set virtual vulnerabilities; and
  • discrimination means for discriminating vulnerabilities to be monitored based on the virtual vulnerabilities in the extracted attack route.
  • (Supplementary Note 2)
  • The analysis apparatus as described in Supplementary note 1, wherein the virtual vulnerabilities include vulnerability types into which the vulnerabilities are pseudo-classified.
  • (Supplementary Note 3)
  • The analysis apparatus as described in Supplementary note 2, wherein the virtual vulnerabilities include possible vulnerability types into which the vulnerabilities are classified.
  • (Supplementary Note 4)
  • The analysis apparatus as described in Supplementary note 3, wherein each of the vulnerability types includes a type of intrusion method or a type of result of attack.
  • (Supplementary Note 5)
  • The analysis apparatus as described in Supplementary note 4, wherein each of the virtual vulnerabilities is a combination of the type of intrusion method and the type of result of attack.
  • (Supplementary Note 6)
  • The analysis apparatus as described in Supplementary note 4 or 5, wherein the intrusion method includes a remote attack or a local attack.
  • (Supplementary Note 7)
  • The analysis apparatus as described in any one of Supplementary notes 4 to 6, wherein the result of attack includes arbitrary code execution, data access, data tampering, and DoS (Denial of Service).
  • (Supplementary Note 8)
  • The analysis apparatus as described in any of Supplementary notes 1 to 7, wherein the extraction means generates an attack graph based on the virtual vulnerabilities and extracts the attack route from the generated attack graph.
  • (Supplementary Note 9)
  • The analysis apparatus as described in Supplementary note 8, wherein the generated attack graph includes conditions for establishing an attack path between the plurality of nodes.
  • (Supplementary Note 10)
  • The analysis apparatus as described in Supplementary note 9, wherein the discrimination means grasps the virtual vulnerabilities in the attack path based on the conditions for establishing the attack path.
  • (Supplementary Note 11)
  • The analysis apparatus as described in Supplementary note 10, wherein the discrimination means grasps the virtual vulnerabilities in all attack routes that are included in the attack graph.
  • (Supplementary Note 12)
  • The analysis apparatus as described in Supplementary note 10, wherein the discrimination means grasps the virtual vulnerability in the shortest route among the attack routes included in the attack graph.
  • (Supplementary Note 13)
  • The analysis apparatus as described in any of Supplementary notes 1 to 12, wherein the discrimination means discriminates the vulnerability to be monitored based on whether the virtual vulnerability in the attack route is vulnerability that is already discovered or not.
  • (Supplementary Note 14)
  • The analysis apparatus as described in Supplementary note 13, wherein when the virtual vulnerability in the attack route is not vulnerability that is already-discovered vulnerability, the discrimination means determines that the vulnerability is vulnerability to be monitored.
  • (Supplementary Note 15)
  • The analysis apparatus as described in any of Supplementary notes 1 to 14, further comprising output means for outputting the discriminated vulnerability to be monitored.
  • (Supplementary Note 16)
  • The analysis apparatus as described in Supplementary note 15, wherein the output means distinguishably displays the vulnerability to be monitored and other vulnerabilities in the attack route.
  • (Supplementary Note 17)
  • An analysis method comprising:
  • setting virtual vulnerabilities in a plurality of nodes configuring an information system to be analyzed;
  • extracting an attack route of the information system based on the set virtual vulnerabilities; and
  • discriminating vulnerabilities to be monitored based on the virtual vulnerabilities in the extracted attack route.
  • (Supplementary Note 18)
  • The analysis method as described in Supplementary note 17, wherein the virtual vulnerabilities include vulnerability types into which the vulnerabilities are pseudo-classified.
  • (Supplementary Note 19)
  • An analysis program for causing a computer to execute the processing of:
  • setting virtual vulnerabilities in a plurality of nodes configuring an information system to be analyzed;
  • extracting an attack route of the information system based on the set virtual vulnerabilities; and
  • discriminating vulnerabilities to be monitored based on the virtual vulnerabilities in the extracted attack route.
  • (Supplementary Note 20)
  • The analysis program as described in Supplementary note 19, wherein the virtual vulnerabilities include vulnerability types into which the vulnerabilities are pseudo-classified.
  • REFERENCE SIGNS LIST
    • 1 ANALYSIS SYSTEM
    • 10 ANALYSIS APPARATUS
    • 11 SETTING UNIT
    • 12 EXTRACTION UNIT
    • 13 DISCRIMINATION UNIT
    • 20 COMPUTER
    • 21 PROCESSOR
    • 22 MEMORY
    • 100 RISK VISUALIZING APPARATUS
    • 101 VIRTUAL VULNERABILITY SETTING UNIT
    • 102 ANALYSIS ELEMENT SETTING UNIT
    • 103 ATTACK ROUTE ANALYSIS UNIT
    • 104 ATTACK ROUTE EXTRACTION UNIT
    • 105 VULNERABILITY ANALYSIS UNIT
    • 106 DISPLAY UNIT
    • 200 SYSTEM CONFIGURATION INFORMATION DB
    • 300 VULNERABILITY INFORMATION DB
    • 400 INFORMATION SYSTEM
    • 401 INTERNET
    • 410 INFORMATION NETWORK
    • 411 OA TERMINAL
    • 420 CONTROL NETWORK
    • 421 LOG SERVER
    • 422 MAINTENANCE SERVER
    • 423 MONITORING CONTROL SERVER
    • 424 HMI
    • 430 FIELD NETWORK
    • 431 IoT DEVICE
    • 432 FA DEVICE
    • 501, 502, 503 DISPLAY SCREEN
    • 502 a, 503 a SYSTEM INFORMATION DISPLAY REGION
    • 502 b, 503 b ATTACK ROUTE INFORMATION DISPLAY REGION
    • 502 c, 503 c REFERENCE INFORMATION DISPLAY REGION
    • FW1, FW2 FIREWALL
    • PLC1, PLC2 PROGRAMMABLE LOGIC CONTROLLER

Claims (20)

What is claimed is:
1. An analysis apparatus comprising:
a memory storing instructions, and
a processor configured to execute the instructions stored in the memory to:
set virtual vulnerabilities in a plurality of nodes configuring an information system to be analyzed;
extract an attack route of the information system based on the set virtual vulnerabilities; and
discriminate vulnerabilities to be monitored based on the virtual vulnerabilities in the extracted attack route.
2. The analysis apparatus according to claim 1, wherein the virtual vulnerabilities include vulnerability types into which the vulnerabilities are pseudo-classified.
3. The analysis apparatus according to claim 2, wherein the virtual vulnerabilities include possible vulnerability types into which the vulnerabilities are classified.
4. The analysis apparatus according to claim 3, wherein each of the vulnerability types includes a type of intrusion method or a type of result of attack.
5. The analysis apparatus according to claim 4, wherein each of the virtual vulnerabilities is a combination of the type of intrusion method and the type of result of attack.
6. The analysis apparatus according to claim 4, wherein the intrusion method includes a remote attack or a local attack.
7. The analysis apparatus according to claim 4, wherein the result of attack includes arbitrary code execution, data access, data tampering, and DoS (Denial of Service).
8. The analysis apparatus according to claim 1, wherein the processor is further configured to execute the instructions stored in the memory to generate an attack graph based on the virtual vulnerabilities and extract the attack route from the generated attack graph.
9. The analysis apparatus according to claim 8, wherein the generated attack graph includes conditions for establishing an attack path between the plurality of nodes.
10. The analysis apparatus according to claim 9, wherein the processor is further configured to execute the instructions stored in the memory to grasp the virtual vulnerabilities in the attack path based on the conditions for establishing the attack path.
11. The analysis apparatus according to claim 10, wherein the processor is further configured to execute the instructions stored in the memory to grasp the virtual vulnerabilities in all attack routes that are included in the attack graph.
12. The analysis apparatus according to claim 10, wherein the processor is further configured to execute the instructions stored in the memory to grasp the virtual vulnerability in the shortest route among the attack routes included in the attack graph.
13. The analysis apparatus according to claim 1, wherein the processor is further configured to execute the instructions stored in the memory to discriminate the vulnerability to be monitored based on whether the virtual vulnerability in the attack route is vulnerability that is already discovered or not.
14. The analysis apparatus according to claim 13, wherein the processor is further configured to execute the instructions stored in the memory to, when the virtual vulnerability in the attack route is not vulnerability that is already-discovered vulnerability, determine that the vulnerability is vulnerability to be monitored.
15. The analysis apparatus according to claim 1, wherein the processor is further configured to execute the instructions stored in the memory to output the discriminated vulnerability to be monitored.
16. The analysis apparatus according to claim 15, wherein the processor is further configured to execute the instructions stored in the memory to distinguishably display the vulnerability to be monitored and other vulnerabilities in the attack route.
17. An analysis method comprising:
setting virtual vulnerabilities in a plurality of nodes configuring an information system to be analyzed;
extracting an attack route of the information system based on the set virtual vulnerabilities; and
discriminating vulnerabilities to be monitored based on the virtual vulnerabilities in the extracted attack route.
18. The analysis method according to claim 17, wherein the virtual vulnerabilities include vulnerability types into which the vulnerabilities are pseudo-classified.
19. A non-transitory computer readable medium storing an analysis program for causing a computer to execute the processing of:
setting virtual vulnerabilities in a plurality of nodes configuring an information system to be analyzed;
extracting an attack route of the information system based on the set virtual vulnerabilities; and
discriminating vulnerabilities to be monitored based on the virtual vulnerabilities in the extracted attack route.
20. The non-transitory computer readable medium according to claim 19, wherein the virtual vulnerabilities include vulnerability types into which the vulnerabilities are pseudo-classified.
US17/785,487 2019-12-25 2019-12-25 Analysis apparatus, analysis method, and non-transitory computer readable mediumstoring analysis program Abandoned US20230024824A1 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2019/050981 WO2021130933A1 (en) 2019-12-25 2019-12-25 Analysis device, analysis method, and non-transitory computer-readable medium in which analysis program is stored

Publications (1)

Publication Number Publication Date
US20230024824A1 true US20230024824A1 (en) 2023-01-26

Family

ID=76574093

Family Applications (1)

Application Number Title Priority Date Filing Date
US17/785,487 Abandoned US20230024824A1 (en) 2019-12-25 2019-12-25 Analysis apparatus, analysis method, and non-transitory computer readable mediumstoring analysis program

Country Status (3)

Country Link
US (1) US20230024824A1 (en)
JP (1) JP7331948B2 (en)
WO (1) WO2021130933A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP7648470B2 (en) * 2021-08-05 2025-03-18 Kddi株式会社 Attack detection device, attack detection method, and attack detection program
WO2025134247A1 (en) * 2023-12-20 2025-06-26 日本電気株式会社 Attack path presentation device, attack path presentation method, and recording medium having attack path presentation program stored thereon
CN117459323B (en) * 2023-12-21 2024-02-27 杭州海康威视数字技术股份有限公司 Threat modeling method and device for intelligent evolution of Internet of Things devices
WO2025182068A1 (en) * 2024-03-01 2025-09-04 日本電気株式会社 Risk management support device, risk management support method, and storage medium

Citations (10)

Publication number Priority date Publication date Assignee Title
WO2002096013A1 (en) * 2001-05-18 2002-11-28 Achilles Guard, Inc. Network security
US20060021034A1 (en) * 2004-07-22 2006-01-26 Cook Chad L Techniques for modeling changes in network security
US20060090205A1 (en) * 2004-10-26 2006-04-27 The Mitre Corporation System and method to emulate mobile logic in a communication system
US7315801B1 (en) * 2000-01-14 2008-01-01 Secure Computing Corporation Network security modeling system and method
US20130167238A1 (en) * 2011-12-23 2013-06-27 Mcafee, Inc. System and method for scanning for computer vulnerabilities in a network environment
US20130326623A1 (en) * 2012-06-05 2013-12-05 Empire Technology Development Llc Cross-user correlation for detecting server-side multi-target intrusion
EP3376423A1 (en) * 2017-03-14 2018-09-19 Gemalto Sa Self-adaptive countermeasures
EP2912802B1 (en) * 2012-10-23 2018-11-21 Raytheon Company Method and device for simulating network resiliance against attacks
US10289841B2 (en) * 2015-04-16 2019-05-14 Nec Corporation Graph-based attack chain discovery in enterprise security systems
US20190156027A1 (en) * 2017-11-23 2019-05-23 Nicira, Inc. Detecting lateral movement using a hypervisor

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
JP4733885B2 (en) * 2001-09-29 2011-07-27 株式会社東芝 Vulnerability assessment program, method and system
JP5567113B2 (en) * 2012-12-28 2014-08-06 株式会社日立システムズ Vulnerability analyzer, vulnerability analysis program, and vulnerability analysis method
JP6312578B2 (en) * 2014-11-07 2018-04-18 株式会社日立製作所 Risk assessment system and risk assessment method
US10367846B2 (en) * 2017-11-15 2019-07-30 Xm Cyber Ltd. Selectively choosing between actual-attack and simulation/evaluation for validating a vulnerability of a network node during execution of a penetration testing campaign
WO2018215957A1 (en) * 2017-05-25 2018-11-29 XM Ltd. Verifying success of compromising a network node during penetration testing of a networked system

Non-Patent Citations (2)

Title
K. Ingols, R. Lippmann and K. Piwowarski, "Practical Attack Graph Generation for Network Defense," 2006 22nd Annual Computer Security Applications Conference (ACSAC'06), Miami Beach, FL, USA, 2006, pp. 121-130, doi: 10.1109/ACSAC.2006.39. (Year: 2006) *
Swiler, L P, Phillips, C, and Gaylor, T. A graph-based network-vulnerability analysis system. United States: N. p., 1998. Web. doi:10.2172/573291. (Year: 1998) *

Also Published As

Publication number Publication date
JP7331948B2 (en) 2023-08-23
JPWO2021130933A1 (en) 2021-07-01
WO2021130933A1 (en) 2021-07-01

Similar Documents

Publication Publication Date Title
EP3588898B1 (en) Defense against apt attack
CN110933101B (en) Security event log processing method, device and storage medium
US20230018096A1 (en) Analysis apparatus, analysis method, and non-transitory computer readable medium storing analysis program
Khamphakdee et al. Improving intrusion detection system based on snort rules for network probe attack detection
US11956208B2 (en) Graphical representation of security threats in a network
JP5440973B2 (en) Computer inspection system and computer inspection method
US20230024824A1 (en) Analysis apparatus, analysis method, and non-transitory computer readable mediumstoring analysis program
EP3337106B1 (en) Identification system, identification device and identification method
US10033761B2 (en) System and method for monitoring falsification of content after detection of unauthorized access
WO2018218537A1 (en) Industrial control system and network security monitoring method therefor
CN105450442A (en) Network topology checking method and system thereof
KR101768079B1 (en) System and method for improvement invasion detection
CN113923021B (en) Sandbox-based encrypted traffic processing method, system, equipment and media
Nursidiq et al. Cyber threat hunting to detect unknown threats in the enterprise network
US11405411B2 (en) Extraction apparatus, extraction method, computer readable medium
CN116723055A (en) Vulnerability detection method and device, storage medium and electronic equipment
JPWO2017217247A1 (en) Malignant event detection apparatus, malignant event detection method, and malignant event detection program
KR101767591B1 (en) System and method for improvement invasion detection
Dharma Network attack detection using intrusion detection system utilizing snort based on telegram
CN115499236B (en) Access request processing method, device, medium and computing device
Saini et al. Vulnerability and Attack Detection Techniques: Intrusion Detection System
Kang et al. Whitelist generation technique for industrial firewall in scada networks
KR20170094673A (en) Apparatus for processing multi-source data and method using the same
Choi et al. Two-step hierarchical scheme for detecting detoured attacks to the web server
Redondo-Hernández et al. Detection of advanced persistent threats using system and attack intelligence

Legal Events

Date Code Title Description
AS Assignment

Owner name: NEC CORPORATION, JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:UEDA, HIROFUMI;MIZUSHIMA, RYO;YAGYU, TOMOHIKO;REEL/FRAME:060207/0149

Effective date: 20220517

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION